samovolne vypinani pc a RAM 700MB

[jaro3]

Proveď vše , co jsem psal výše.
Ještě sem za chvilku něco dodám.

Stáhni si program OTMoveIt3 (by OldTimer) a ulož si ho na disk C a spusť ho.
- Do levého sloupce (Paste Instructions for Items to be Moved) zkopíruj tyto cesty:
Poznámka: Nepoužij k označení funkci VYBRAT VŠE

Kód: Vybrat vše

:Processes
explorer.exe

:Services

:Reg

:Files
c:\windows\system32\*.tmp
c:\windows\_id.dat
c:\windows\system32\drivers\ethaqmhs.sys
c:\windows\adobe.bat

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]


Po zkopírování klikni na tlačítko MoveIt! a vlož sem následně celý obsah z pravého sloupce, jinak uložený ve složce C:\_OTMoveIt\MovedFiles\, který bude informovat o výsledcích
- Je možné, že pokud nebudou moci být soubory odstraněny, budeš dotázán na restart počítače, v tom případě restart potvrď
Zítra..

[Reklama]

[junfan]

ComboFix 09-03-04.01 - morff 2009-03-06 22:15:29.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1029.18.1023.560 [GMT 1:00]
Spuštěný z: c:\documents and settings\morff\Plocha\ComboFix.exe
Použité ovládací přepínače :: c:\documents and settings\morff\Plocha\CFScript.txt
* Vytvořen nový Bod Obnovení

FILE ::
c:\windows\system32\drivers\ethaqmhs.sys
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\morff\reader_s.exe
c:\windows\system32\8.tmp
c:\windows\system32\drivers\ethaqmhs.sys
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\reader_s.exe

. . . je infikován!!

. . . je infikován!!

. . . je infikován!!

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ethaqmhs


((((((((((((((((((((((((( Soubory vytvořené od 2009-02-06 do 2009-03-06 )))))))))))))))))))))))))))))))
.

2009-03-06 22:05 . 2009-03-06 22:05 80 --a------ c:\windows\system32\6.tmp
2009-03-06 21:54 . 2009-03-06 21:54 80 --a------ c:\windows\system32\7.tmp
2009-03-06 21:47 . 2009-03-06 21:47 80 --a------ c:\windows\system32\5.tmp
2009-03-06 21:42 . 2009-03-06 21:42 80 --a------ c:\windows\system32\3.tmp
2009-03-06 21:38 . 2009-03-06 21:38 130 --a------ c:\windows\adobe.bat
2009-03-06 21:38 . 2009-03-06 21:38 80 --a------ c:\windows\system32\46B.tmp
2009-03-06 21:38 . 2009-03-06 21:38 0 --a------ c:\windows\_id.dat
2009-03-06 20:16 . 2009-03-06 20:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-06 20:16 . 2009-03-06 20:16 <DIR> d-------- c:\documents and settings\morff\Data aplikací\Malwarebytes
2009-03-06 20:16 . 2009-03-06 20:16 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2009-03-06 20:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-06 20:16 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\NetworkService\Plocha
2009-03-05 20:47 . 2009-03-05 20:47 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-03-01 15:53 . 2009-03-01 15:53 <DIR> d-------- c:\program files\Moyea
2009-03-01 15:53 . 2009-03-01 15:53 <DIR> d-------- c:\documents and settings\morff\Data aplikací\Moyea
2009-02-24 20:25 . 2009-02-24 20:26 <DIR> d-------- c:\program files\sdc222
2009-02-16 17:58 . 2009-02-16 18:43 <DIR> d-------- c:\program files\Belltech Business Card Designer Pro
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> d-------- c:\documents and settings\Administrator\Plocha
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> d--h----- c:\documents and settings\Administrator\Okolní tiskárny
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> d--h----- c:\documents and settings\Administrator\Okolní síť
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> d-------- c:\documents and settings\Administrator\Oblíbené položky
2009-02-08 12:53 . 2009-01-02 13:57 <DIR> d--h----- c:\documents and settings\Administrator\Šablony
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> dr------- c:\documents and settings\Administrator\Nabídka Start
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> d-------- c:\documents and settings\Administrator\Dokumenty
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> dr-h----- c:\documents and settings\Administrator\Data aplikací
2009-02-08 12:53 . 2009-03-06 16:53 <DIR> d-------- c:\documents and settings\Administrator
2009-02-08 12:49 . 2009-02-08 12:49 <DIR> d-------- c:\documents and settings\Guest\Data aplikací\ESET
2009-02-08 12:48 . 2009-01-02 14:43 <DIR> d-------- c:\documents and settings\Guest\Plocha
2009-02-08 12:48 . 2009-01-02 14:43 <DIR> d--h----- c:\documents and settings\Guest\Okolní tiskárny
2009-02-08 12:48 . 2009-01-02 14:43 <DIR> d--h----- c:\documents and settings\Guest\Okolní síť
2009-02-08 12:48 . 2009-02-08 12:49 <DIR> dr------- c:\documents and settings\Guest\Oblíbené položky
2009-02-08 12:48 . 2009-01-02 13:57 <DIR> d--h----- c:\documents and settings\Guest\Šablony
2009-02-08 12:48 . 2009-01-02 14:43 <DIR> dr------- c:\documents and settings\Guest\Nabídka Start
2009-02-08 12:48 . 2009-02-08 12:49 <DIR> dr------- c:\documents and settings\Guest\Dokumenty
2009-02-08 12:48 . 2009-02-08 12:49 <DIR> dr-h----- c:\documents and settings\Guest\Data aplikací
2009-02-08 12:48 . 2009-03-05 21:12 <DIR> d-------- c:\documents and settings\Guest
2009-02-07 20:21 . 2009-02-07 20:21 <DIR> d-------- c:\documents and settings\morff\Data aplikací\Samsung
2009-02-07 20:00 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
2009-02-07 19:57 . 2009-02-07 19:57 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2009-02-07 19:57 . 2005-08-30 01:49 94,000 --a------ c:\windows\system32\drivers\ssm_mdm.sys
2009-02-07 19:57 . 2005-08-30 01:47 58,320 --a------ c:\windows\system32\drivers\ssm_bus.sys
2009-02-07 19:57 . 2005-08-30 01:49 8,336 --a------ c:\windows\system32\drivers\ssm_mdfl.sys
2009-02-07 19:57 . 2005-08-30 01:49 6,176 --a------ c:\windows\system32\drivers\ssm_cmnt.sys
2009-02-07 19:57 . 2005-08-30 01:49 6,176 --a------ c:\windows\system32\drivers\ssm_cm.sys
2009-02-07 19:57 . 2005-08-30 01:47 5,840 --a------ c:\windows\system32\drivers\ssm_whnt.sys
2009-02-07 19:57 . 2005-08-30 01:47 5,840 --a------ c:\windows\system32\drivers\ssm_wh.sys
2009-02-07 19:57 . 2009-02-07 20:20 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
2009-02-07 19:57 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2009-02-07 19:56 . 2009-02-07 19:56 <DIR> d-------- c:\program files\Samsung

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 21:15 --------- d-----w c:\documents and settings\All Users\Data aplikací\Spybot - Search & Destroy
2009-03-05 19:47 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-05 16:57 --------- d-----w c:\documents and settings\morff\Data aplikací\365dni
2009-03-02 20:31 138,184 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-01 15:54 --------- d-----w c:\documents and settings\All Users\Data aplikací\FLEXnet
2009-03-01 11:56 --------- d-----w c:\program files\ICQ6.5
2009-03-01 11:56 --------- d-----w c:\documents and settings\morff\Data aplikací\ICQ
2009-02-15 19:45 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-11 19:44 --------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2009-02-07 18:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-07 18:53 --------- d-----w c:\program files\Common Files\Adobe
2009-01-30 19:46 --------- d-----w c:\documents and settings\morff\Data aplikací\BSplayer
2009-01-24 16:57 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-01-24 16:55 --------- dc-h--w c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-24 16:48 --------- d-----w c:\documents and settings\All Users\Data aplikací\Lavasoft
2009-01-22 18:01 --------- d-----w c:\program files\MultiMail
2009-01-18 16:22 --------- d--h--r c:\documents and settings\morff\Data aplikací\SecuROM
2009-01-18 16:19 --------- d-----w c:\documents and settings\morff\Data aplikací\Leadertech
2009-01-18 16:10 --------- d-----w c:\program files\EA Games
2009-01-18 15:55 --------- d-----w c:\program files\GameHouse
2009-01-18 15:55 --------- d-----w c:\documents and settings\morff\Data aplikací\GameHouse
2009-01-15 21:35 --------- d-----w c:\program files\Electronic Arts
2009-01-15 21:35 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-12 18:37 --------- d-----w c:\program files\WM Converter
2009-01-09 13:16 --------- d-----w c:\documents and settings\morff\Data aplikací\Nero
2009-01-08 19:25 --------- d-----w c:\program files\Common Files\Nero
2009-01-08 19:10 --------- d-----w c:\program files\Nero
2009-01-08 19:03 --------- d-----w c:\documents and settings\All Users\Data aplikací\Nero
2009-01-08 08:03 22,328 ----a-w c:\documents and settings\morff\Data aplikací\PnkBstrK.sys
2009-01-08 07:54 --------- d-----w c:\program files\Activision
2009-01-06 17:01 --------- d-----w c:\program files\Trend Micro
2009-01-06 16:25 --------- d-----w c:\documents and settings\morff\Data aplikací\Software Informer
2009-01-06 16:24 --------- d-----w c:\documents and settings\morff\Data aplikací\IObit
2009-01-06 15:58 --------- d-----w c:\documents and settings\All Users\Data aplikací\Sandlot Games
2009-01-06 15:57 --------- d-----w c:\documents and settings\All Users\Data aplikací\n7-89-o9-3r-4t-r9
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800} ----

2009-01-24 17:55 9031 --a--c--- c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.par
2009-01-24 17:55 90 --a--c--- c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}\instance.dat
2009-01-24 17:55 9 --a--c--- c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.lan
2009-01-24 17:55 495 --a--c--- c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.dat
2009-01-18 22:43 578782 --a--c--- c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}\mia.lib
2009-01-18 22:43 569856 --a--c--- c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.msi
2009-01-18 22:43 5113482 --a--c--- c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.res
2009-01-18 22:43 2892112 --a--c--- c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe

---- Directory of c:\documents and settings\All Users\Data aplikací\n7-89-o9-3r-4t-r9 ----

2009-01-18 16:55 88 --a------ c:\documents and settings\All Users\Data aplikací\n7-89-o9-3r-4t-r9\profile.ini


------- Sigcheck -------

2004-08-18 13:00 182912 1df7f42665c94b825322fae71721130d c:\windows\$NtServicePackUninstall$\ndis.sys
2008-04-13 20:20 182656 1df7f42665c94b825322fae71721130d c:\windows\ServicePackFiles\i386\ndis.sys
2008-04-13 20:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\50ce127b6bb5262be7f814de23be86b4\ndis.sys
2009-03-05 20:47 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\dllcache\ndis.sys
2009-03-05 20:47 213120 1df7f42665c94b825322fae71721130d c:\windows\system32\drivers\ndis.sys

2008-04-14 04:22 1051648 6b779dcafc80621bac9f9874565d5535 c:\windows\explorer.exe
2004-08-18 13:00 1050112 3f19cedbe63d47356a51cae8f6d29aed c:\windows\$NtServicePackUninstall$\explorer.exe
2008-04-14 04:22 1051648 0776dd339c556f960479c2da396d2f71 c:\windows\ServicePackFiles\i386\explorer.exe
2008-04-14 04:22 1051648 abfdad25a547ae1f2726b3ccb76934bc c:\windows\SoftwareDistribution\Download\50ce127b6bb5262be7f814de23be86b4\explorer.exe

2004-08-18 13:00 32768 c0e518c5efbae4a5c85b8441172cd2d0 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 04:22 32768 4f5235b1ff2263def5e4d4c30cf8bf33 c:\windows\ServicePackFiles\i386\ctfmon.exe
2008-04-14 04:22 32768 314c2d5b1ce44bbbca2ea0b66ec5dc83 c:\windows\SoftwareDistribution\Download\50ce127b6bb5262be7f814de23be86b4\ctfmon.exe
2008-04-14 04:22 32768 365544d518ba869bf4366e2136a82793 c:\windows\system32\ctfmon.exe

2004-08-18 13:00 75264 6b44f97ac5974d6d67acf9c8f85cc23a c:\windows\$NtServicePackUninstall$\spoolsv.exe
2008-04-14 04:22 75264 ff90a709f9a7c3bafb537eb206eb240d c:\windows\ServicePackFiles\i386\spoolsv.exe
2008-04-14 04:22 75264 e387bd0828634c9e264f01cf199e27be c:\windows\SoftwareDistribution\Download\50ce127b6bb5262be7f814de23be86b4\spoolsv.exe
2008-04-14 04:22 75264 2105cb77a16b161ec9e3ceb154497eae c:\windows\system32\spoolsv.exe

2004-08-18 13:00 41984 5a26f8467b3ea2d2f504d508350815e7 c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-14 04:22 43520 51d339b7368d9f6d787efee246abb7bb c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-14 04:22 43520 864dc79f0c3e143de3f8645c9eb57966 c:\windows\SoftwareDistribution\Download\50ce127b6bb5262be7f814de23be86b4\userinit.exe
2008-04-14 04:22 43520 8d44dc140ea75044d6856be524b85b0b c:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-03-06_22.08.14.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 19:02:28 184,320 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 184,832 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 184,320 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-03-06 21:05:29 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-03-06 21:23:53 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-03-06 21:05:29 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-03-06 21:23:53 49,152 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-03-06 20:54:25 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009030620090307\index.dat
+ 2009-03-06 21:23:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012009030620090307\index.dat
- 2009-03-06 21:05:29 163,840 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-06 21:23:53 163,840 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"365dni"="c:\program files\365dníNET\365dniNET.exe" [2007-01-06 774144]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 32768]
"reader_s"="c:\documents and settings\morff\reader_s.exe" [2009-03-06 33280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"reader_s"="c:\windows\System32\reader_s.exe" [2009-03-06 33280]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 c:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 32768]
"reader_s"="c:\documents and settings\morff\reader_s.exe" [2009-03-06 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\explorer.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= c:\progra~1\ACEMEG~1\SystemS\Intel\iac25_32.ax
"msacm.sl_anet"= c:\progra~1\ACEMEG~1\SystemS\sl_anet.acm
"vidc.yv12"= c:\progra~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= c:\progra~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= c:\progra~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= c:\progra~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"msacm.msaudio1"= c:\progra~1\ACEMEG~1\SystemS\MICROS~1\msaud32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-24 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 950096]
R3 PSched;Plánovač paketů technologie QoS;c:\windows\system32\drivers\psched.sys [2004-08-18 69120]
.
Obsah adresáře 'Naplánované úlohy'

2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-31 17:57]

2009-03-06 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe [2004-06-07 06:35]
.
.
------- Doplňkový sken -------
.
uStart Page = hxxp://www.seznam.cz/
IE: E&xportovat do aplikace Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
FF - ProfilePath - c:\documents and settings\morff\Data aplikací\Mozilla\Firefox\Profiles\kf4z2ags.default\
FF - prefs.js: browser.search.selectedEngine - ICQ Search
FF - prefs.js: browser.startup.homepage - About:Blank
FF - prefs.js: keyword.URL - hxxp://search.icq.com/search/afe_result ... id=afex&q=
FF - component: c:\program files\BS.Player ControlBar\FirefoxDTT\components\BSToolbarFF.dll

---- NASTAVENÍ FIREFOXU ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".cz");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 22:23:47
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...


c:\windows\system32\reader_s.exe 33280 bytes executable
c:\windows\system32\8.tmp 80 bytes
c:\windows\system32\9.tmp 38913 bytes executable

sken byl úspešně dokončen
skryté soubory: 3

**************************************************************************
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Celkový čas: 2009-03-06 22:26:59 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-03-06 21:26:56
ComboFix2.txt 2009-03-06 21:09:09

Před spuštěním: Volných bajtů: 51 941 347 328
Po spuštění: Volných bajtů: 51,833,978,880

273 --- E O F --- 2009-02-25 14:50:56








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:28:02, on 6.3.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\reader_s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.seznam.cz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Odkazy
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: BS.Player ControlBar - {2C688203-7EB3-4327-9995-1CB417BA23F9} - C:\Program Files\BS.Player ControlBar\BSToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
O4 - HKCU\..\Run: [365dni] C:\Program Files\365dníNET\365dniNET.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\morff\reader_s.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [reader_s] C:\Documents and Settings\morff\reader_s.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportovat do aplikace Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Odeslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Od&eslat do aplikace OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0903852000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 0916758453
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 6304 bytes

[junfan]

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\windows\system32\3.tmp moved successfully.
c:\windows\system32\46B.tmp moved successfully.
c:\windows\system32\5.tmp moved successfully.
c:\windows\system32\6.tmp moved successfully.
c:\windows\system32\7.tmp moved successfully.
c:\windows\system32\8.tmp moved successfully.
c:\windows\system32\9.tmp moved successfully.
c:\windows\_id.dat moved successfully.
File/Folder c:\windows\system32\drivers\ethaqmhs.sys not found.
c:\windows\adobe.bat moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\morff\LOCALS~1\Temp\History\History.IE5\MSHist012009030620090307\index.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03062009_223035

Files moved on Reboot...
C:\DOCUME~1\morff\LOCALS~1\Temp\History\History.IE5\MSHist012009030620090307\index.dat moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

[jaro3]

Použij znovu OTMoveIt3 s tímto scriptem:

Kód: Vybrat vše

:Processes
explorer.exe

:Services

:Reg
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reader_s"="c:\documents and settings\morff\reader_s.exe"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"reader_s"="c:\windows\System32\reader_s.exe"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"reader_s"="c:\documents and settings\morff\reader_s.exe"=-

:Files
c:\windows\system32\*.tmp
c:\documents and settings\morff\reader_s.exe
c:\windows\System32\reader_s.exe

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]


Postup stejný.
Poté znovu odinstaluj Combofix smaž qoobox, stáhni nový a dej sem z něho log.
Stáhni si free Aviru
http://www.free-av.com/en/download/1/av ... virus.html
nebo Avast či AVG a nainstaluj a proveď sken.
Poté si stáhni SuperAntiSpyware a proveď s tím sken.
http://www.superantispyware.com/downloa ... PYWAREFREE

[junfan]

Zdravim... Pri startu pc Ad-aware vzdy neco najde a zablokuje.. Pri scanu SUPERAntiSpyware se nekde v polovine sam restartuje pc (vyzkouseno 3x)




========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\reader_s"="c:\documents and settings\morff\reader_s.exe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\reader_s"="c:\windows\System32\reader_s.exe not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\reader_s"="c:\documents and settings\morff\reader_s.exe not found.
========== FILES ==========
c:\windows\system32\4.tmp moved successfully.
c:\windows\system32\5.tmp moved successfully.
c:\windows\system32\6.tmp moved successfully.
c:\windows\system32\8.tmp moved successfully.
c:\documents and settings\morff\reader_s.exe moved successfully.
c:\windows\System32\reader_s.exe moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\morff\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\N1R3NIZ5\ads[1].htm scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\morff\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\N1R3NIZ5\viewtopic[1].htm scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\morff\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\MW2VAA5R\ads[1].htm scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\morff\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\morff\LOCALS~1\Temp\History\History.IE5\MSHist012009030720090308\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\morff\LOCALS~1\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\morff\LOCALS~1\Temp\Cookies\index.dat scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03072009_142224

Files moved on Reboot...
C:\DOCUME~1\morff\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\N1R3NIZ5\ads[1].htm moved successfully.
C:\DOCUME~1\morff\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\N1R3NIZ5\viewtopic[1].htm moved successfully.
C:\DOCUME~1\morff\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\MW2VAA5R\ads[1].htm moved successfully.
C:\DOCUME~1\morff\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\index.dat moved successfully.
C:\DOCUME~1\morff\LOCALS~1\Temp\History\History.IE5\MSHist012009030720090308\index.dat moved successfully.
C:\DOCUME~1\morff\LOCALS~1\Temp\History\History.IE5\index.dat moved successfully.
C:\DOCUME~1\morff\LOCALS~1\Temp\Cookies\index.dat moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.








ComboFix 09-03-06.02 - morff 2009-03-07 16:21:17.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1250.1.1029.18.1023.586 [GMT 1:00]
Spuštěný z: c:\documents and settings\morff\Plocha\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
* Vytvořen nový Bod Obnovení
.

((((((((((((((((((((((((((((((((((((((( Ostatní výmazy )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\morff\reader_s.exe
c:\windows\services.exe
c:\windows\system32\6.tmp
c:\windows\system32\8.tmp
c:\windows\system32\9.tmp
c:\windows\system32\A.tmp
c:\windows\system32\C.tmp
c:\windows\system32\drivers\ntndis.sys
c:\windows\system32\reader_s.exe

. . . je infikován!!

. . . je infikován!!

. . . je infikován!!

.
((((((((((((((((((((((((((((((((((((((( Ovladače/Služby )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_restore


((((((((((((((((((((((((( Soubory vytvořené od 2009-02-07 do 2009-03-07 )))))))))))))))))))))))))))))))
.

2009-03-07 15:56 . 2009-03-07 15:56 80 --a------ c:\windows\system32\7.tmp
2009-03-07 15:48 . 2009-03-07 15:48 80 --a------ c:\windows\system32\5.tmp
2009-03-07 15:36 . 2009-03-07 15:36 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-07 15:36 . 2009-03-07 15:36 <DIR> d-------- c:\documents and settings\morff\Data aplikací\SUPERAntiSpyware.com
2009-03-07 15:36 . 2009-03-07 15:36 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\SUPERAntiSpyware.com
2009-03-07 15:34 . 2009-03-07 15:34 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-07 14:36 . 2009-03-07 14:36 <DIR> d-------- c:\program files\Avira
2009-03-07 14:36 . 2009-03-07 14:36 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Avira
2009-03-07 14:24 . 2009-03-07 14:24 80 --a------ c:\windows\system32\4.tmp
2009-03-06 22:29 . 2009-03-06 22:29 368,640 --a------ C:\OTMoveIt3.exe
2009-03-06 20:16 . 2009-03-06 20:16 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-06 20:16 . 2009-03-06 20:16 <DIR> d-------- c:\documents and settings\morff\Data aplikací\Malwarebytes
2009-03-06 20:16 . 2009-03-06 20:16 <DIR> d-------- c:\documents and settings\All Users\Data aplikací\Malwarebytes
2009-03-06 20:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-06 20:16 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-06 16:58 . 2009-03-06 16:58 <DIR> d-------- c:\documents and settings\NetworkService\Plocha
2009-03-05 20:47 . 2009-03-05 20:47 182,656 --a--c--- c:\windows\system32\dllcache\ndis.sys
2009-03-01 15:53 . 2009-03-01 15:53 <DIR> d-------- c:\program files\Moyea
2009-03-01 15:53 . 2009-03-01 15:53 <DIR> d-------- c:\documents and settings\morff\Data aplikací\Moyea
2009-02-24 20:25 . 2009-02-24 20:26 <DIR> d-------- c:\program files\sdc222
2009-02-16 17:58 . 2009-02-16 18:43 <DIR> d-------- c:\program files\Belltech Business Card Designer Pro
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> d-------- c:\documents and settings\Administrator\Plocha
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> d--h----- c:\documents and settings\Administrator\Okolní tiskárny
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> d--h----- c:\documents and settings\Administrator\Okolní síť
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> d-------- c:\documents and settings\Administrator\Oblíbené položky
2009-02-08 12:53 . 2009-01-02 13:57 <DIR> d--h----- c:\documents and settings\Administrator\Šablony
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> dr------- c:\documents and settings\Administrator\Nabídka Start
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> d-------- c:\documents and settings\Administrator\Dokumenty
2009-02-08 12:53 . 2009-01-02 14:43 <DIR> dr-h----- c:\documents and settings\Administrator\Data aplikací
2009-02-08 12:53 . 2009-03-06 16:53 <DIR> d-------- c:\documents and settings\Administrator
2009-02-08 12:49 . 2009-02-08 12:49 <DIR> d-------- c:\documents and settings\Guest\Data aplikací\ESET
2009-02-08 12:48 . 2009-01-02 14:43 <DIR> d-------- c:\documents and settings\Guest\Plocha
2009-02-08 12:48 . 2009-01-02 14:43 <DIR> d--h----- c:\documents and settings\Guest\Okolní tiskárny
2009-02-08 12:48 . 2009-01-02 14:43 <DIR> d--h----- c:\documents and settings\Guest\Okolní síť
2009-02-08 12:48 . 2009-02-08 12:49 <DIR> dr------- c:\documents and settings\Guest\Oblíbené položky
2009-02-08 12:48 . 2009-01-02 13:57 <DIR> d--h----- c:\documents and settings\Guest\Šablony
2009-02-08 12:48 . 2009-01-02 14:43 <DIR> dr------- c:\documents and settings\Guest\Nabídka Start
2009-02-08 12:48 . 2009-02-08 12:49 <DIR> dr------- c:\documents and settings\Guest\Dokumenty
2009-02-08 12:48 . 2009-02-08 12:49 <DIR> dr-h----- c:\documents and settings\Guest\Data aplikací
2009-02-08 12:48 . 2009-03-05 21:12 <DIR> d-------- c:\documents and settings\Guest
2009-02-07 20:21 . 2009-02-07 20:21 <DIR> d-------- c:\documents and settings\morff\Data aplikací\Samsung
2009-02-07 20:00 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
2009-02-07 19:57 . 2009-02-07 19:57 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2009-02-07 19:57 . 2005-08-30 01:49 94,000 --a------ c:\windows\system32\drivers\ssm_mdm.sys
2009-02-07 19:57 . 2005-08-30 01:47 58,320 --a------ c:\windows\system32\drivers\ssm_bus.sys
2009-02-07 19:57 . 2005-08-30 01:49 8,336 --a------ c:\windows\system32\drivers\ssm_mdfl.sys
2009-02-07 19:57 . 2005-08-30 01:49 6,176 --a------ c:\windows\system32\drivers\ssm_cmnt.sys
2009-02-07 19:57 . 2005-08-30 01:49 6,176 --a------ c:\windows\system32\drivers\ssm_cm.sys
2009-02-07 19:57 . 2005-08-30 01:47 5,840 --a------ c:\windows\system32\drivers\ssm_whnt.sys
2009-02-07 19:57 . 2005-08-30 01:47 5,840 --a------ c:\windows\system32\drivers\ssm_wh.sys
2009-02-07 19:57 . 2009-02-07 20:20 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
2009-02-07 19:57 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2009-02-07 19:56 . 2009-02-07 19:56 <DIR> d-------- c:\program files\Samsung

.
(((((((((((((((((((((((((((((((((((((((( Find3M výpis ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-07 14:02 --------- d-----w c:\program files\WM Converter
2009-03-07 13:44 --------- d-----w c:\program files\365dníNET
2009-03-05 21:15 --------- d-----w c:\documents and settings\All Users\Data aplikací\Spybot - Search & Destroy
2009-03-05 19:47 182,656 ----a-w c:\windows\system32\drivers\ndis.sys
2009-03-05 16:57 --------- d-----w c:\documents and settings\morff\Data aplikací\365dni
2009-03-02 20:31 138,184 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-03-01 15:54 --------- d-----w c:\documents and settings\All Users\Data aplikací\FLEXnet
2009-03-01 11:56 --------- d-----w c:\program files\ICQ6.5
2009-03-01 11:56 --------- d-----w c:\documents and settings\morff\Data aplikací\ICQ
2009-02-15 19:45 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-11 19:44 --------- d-----w c:\documents and settings\All Users\Data aplikací\Microsoft Help
2009-02-07 18:56 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-07 18:53 --------- d-----w c:\program files\Common Files\Adobe
2009-01-30 19:46 --------- d-----w c:\documents and settings\morff\Data aplikací\BSplayer
2009-01-24 16:57 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-01-24 16:55 --------- dc-h--w c:\documents and settings\All Users\Data aplikací\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-24 16:48 --------- d-----w c:\documents and settings\All Users\Data aplikací\Lavasoft
2009-01-22 18:01 --------- d-----w c:\program files\MultiMail
2009-01-18 16:22 --------- d--h--r c:\documents and settings\morff\Data aplikací\SecuROM
2009-01-18 16:19 --------- d-----w c:\documents and settings\morff\Data aplikací\Leadertech
2009-01-18 16:10 --------- d-----w c:\program files\EA Games
2009-01-18 15:55 --------- d-----w c:\program files\GameHouse
2009-01-18 15:55 --------- d-----w c:\documents and settings\morff\Data aplikací\GameHouse
2009-01-15 21:35 --------- d-----w c:\program files\Electronic Arts
2009-01-15 21:35 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-09 13:16 --------- d-----w c:\documents and settings\morff\Data aplikací\Nero
2009-01-08 19:25 --------- d-----w c:\program files\Common Files\Nero
2009-01-08 19:10 --------- d-----w c:\program files\Nero
2009-01-08 19:03 --------- d-----w c:\documents and settings\All Users\Data aplikací\Nero
2009-01-08 08:03 22,328 ----a-w c:\documents and settings\morff\Data aplikací\PnkBstrK.sys
2009-01-08 07:54 --------- d-----w c:\program files\Activision
.

(((((((((((((((((((((((((((((((((( Spouštěcí body v registru )))))))))))))))))))))))))))))))))))))))))))))
.
.
*Poznámka* prázdné záznamy a legitimní výchozí údaje nejsou zobrazeny.
REGEDIT4

SafeBoot klíč v registru musí být opraven. Tento počítač nemůže nastartovat do Nouzového Režimu.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

NETSVCS REQUIRES REPAIRS - current entries shown

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

.
Obsah adresáře 'Naplánované úlohy'

2009-03-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-31 17:57]

2009-03-06 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe [2004-06-07 06:35]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 16:32:52
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwOpenFile

skenování skrytých procesů ...

skenování skrytých položek 'Po spuštění' ...

skenování skrytých souborů ...

sken byl úspešně dokončen
skryté soubory: 0

**************************************************************************
.
--------------------- Knihovny navázané na běžící procesy ---------------------

- - - - - - - > 'winlogon.exe'(780)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Jiné spuštené procesy ------------------------
.
c:\program files\Lavasoft\Ad-Aware\AAWService.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\temp\BN2.tmp
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\reader_s.exe.vir
c:\windows\system32\rundll32.exe
c:\windows\RTHDCPL.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
c:\qoobox\Quarantine\C\WINDOWS\system32\reader_s.exe.vir
c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
c:\documents and settings\morff\reader_s.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Celkový čas: 2009-03-07 16:34:49 - počítač byl restartován
ComboFix-quarantined-files.txt 2009-03-07 15:34:45

Před spuštěním: Volných bajtů: 51 766 243 328
Po spuštění: Volných bajtů: 51,712,143,360

Sets=
190

[junfan]

Tohle je hodne promyslenej vir.. Koukam ze jsem na tom hur a hur...

[junfan]

Avira: pocet nalezenych objektu 71

TR/Crypt.U.Gen Trojan
TR/Dropper.Gen Trojan
SYMBOS/Drever.A Symbian virus
BDS/Generic.46305
DR/ActualSpy.O dropper
TR/Crypt.XPACK.Gen Trojan

[jaro3]

Všechno , co našel antivir smaž..Pořád se obnovuje ten reader_s.exe

Oprav nouz. režim:
Stáhni si :
SafeBootKeyRepair
http://download.bleepingcomputer.com/sU ... Repair.exe

- stačí jen spustit, popřípade potvrdit výzvy programu.

Pokud Ti pak půjde nouz. režim , tak v něm najdi a smaž:
c:\windows\temp\BN2.tmp
c:\documents and settings\morff\reader_s.exe
c:\windows\system32\7.tmp
c:\windows\system32\5.tmp
c:\windows\system32\4.tmp
******************************************************************************************************************************************
Stáhni si : Dr. Web CureIt
http://www.studna.cz/go/download/fid/48 ... 8c7f27dce2
dej update , po aktualizaci dej start.
Tlacitky dole muzeš soubor léčit, smazat, přesunout nebo přejmenovat.

[junfan]

Vse se podarilo vymazat.. Jen reader_s.exe nebyl v documents and settings, ale v Prefetch..
C:WINDOWS\SWSC.exe - TR/Crypt.U.Gen detekoval: Avira... Dal jsem Delate
Jdu na Dr. Web CureIt

[junfan]

Scan hotovej... Jdu na restart



365dninet.exe;c:\program files\365dnínet;Win32.Virut.56;Vyléčen.;
idrivert.exe;c:\program files\common files\installshield\driver\11\intel 32;Win32.Virut.56;Vyléčen.;
hphped05.exe;c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\pexpress;Win32.Virut.56;Vyléčen.;
msmsgs.exe;c:\program files\messenger;Win32.Virut.56;Vyléčen.;
setup50.exe;c:\program files\outlook express;Win32.Virut.56;Vyléčen.;
explorer.exe;c:\windows;Win32.Virut.56;Vyléčen.;
unregmp2.exe;c:\windows\inf;Win32.Virut.56;Vyléčen.;
xpnetdiag.exe;c:\windows\network diagnostic;Win32.Virut.56;Vyléčen.;
rthdcpl.exe;c:\windows;Win32.Virut.56;Vyléčen.;
skytel.exe;c:\windows;Win32.Virut.56;Vyléčen.;
alg.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
cisvc.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
clipsrv.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
ctfmon.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
dllhost.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
dmadmin.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
hpzipm12.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
ie4uinit.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
ieudinit.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
imapi.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
locator.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
logon.scr;c:\windows\system32;Win32.Virut.56;Vyléčen.;
logonui.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
mnmsrvc.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
msdtc.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
msiexec.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
netdde.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
ntsd.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
nwiz.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
qttask.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
regsvr32.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
rsvp.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
rundll32.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
scardsvr.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
sessmgr.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
shmgrate.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
smlogsvc.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
spoolsv.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
ups.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
vssvc.exe;c:\windows\system32;Win32.Virut.56;Vyléčen.;
unsecapp.exe;c:\windows\system32\wbem;Win32.Virut.56;Vyléčen.;
winmgmt.exe;c:\windows\system32\wbem;Win32.Virut.56;Vyléčen.;
wmiapsrv.exe;c:\windows\system32\wbem;Win32.Virut.56;Vyléčen.;
wmiprvse.exe;c:\windows\system32\wbem;Win32.Virut.56;Vyléčen.;

[junfan]

System se zda vylecen, ale je tu problem se sitovkou.. Preinstalovat se mi to nedari..
http://www.asrock.com/mb/download.asp?M ... 33-Viiv&s=
Posilam screen

[jaro3]

ComboFix se odinstaluje takto:
Start-Spustit a zadej ComboFix[mezera]/u

vyčisti systém CCleanerem
a použij i T-Cleaner
smaže vše po Combu,SDFixu,Avengeru,MWAVu atd.-stáhneš>spustíš

Stáhni si ATF Cleaner
Poklepej na ATF Cleaner.exe, klikni select all found, pak klik empty selected.
Pokud chceš zachovat svoje uložená hesla, klikni na No.
ATF-Cleaner je jednoduchý nástroj na odstranění historie z webového prohlížeče. Program dokáže odstranit cache, cookies, historii a další stopy po surfování na Internetu. Mezi podporované prohlížeče patří Internet Explorer, Firefox a Opera. Aplikace navíc umí odstranit dočasné soubory Windows, vysypat koš atd.
*****************************************************************************************************************************************
Otevři si Poznámkový blok (Start -> Spustit... a napiš do okna Notepad a dej Ok.
Zkopíruj do něj následující celý text označený zeleně:
Poznámka: Nepoužij k označení skriptu funkci VYBRAT VŠE

Kód: Vybrat vše

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=-
"netsvcs"=hex(7):36,00,74,00,6f,00,34,00,00,00,41,00,70,00,70,00,4d,00,67,00,\
  6d,00,74,00,00,00,41,00,75,00,64,00,69,00,6f,00,53,00,72,00,76,00,00,00,42,\
  00,72,00,6f,00,77,00,73,00,65,00,72,00,00,00,43,00,72,00,79,00,70,00,74,00,\
  53,00,76,00,63,00,00,00,44,00,4d,00,53,00,65,00,72,00,76,00,65,00,72,00,00,\
  00,44,00,48,00,43,00,50,00,00,00,45,00,52,00,53,00,76,00,63,00,00,00,45,00,\
  76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,46,00,61,\
  00,73,00,74,00,55,00,73,00,65,00,72,00,53,00,77,00,69,00,74,00,63,00,68,00,\
  69,00,6e,00,67,00,43,00,6f,00,6d,00,70,00,61,00,74,00,69,00,62,00,69,00,6c,\
  00,69,00,74,00,79,00,00,00,48,00,69,00,64,00,53,00,65,00,72,00,76,00,00,00,\
  49,00,61,00,73,00,00,00,49,00,70,00,72,00,69,00,70,00,00,00,49,00,72,00,6d,\
  00,6f,00,6e,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,53,00,65,00,72,00,\
  76,00,65,00,72,00,00,00,4c,00,61,00,6e,00,6d,00,61,00,6e,00,57,00,6f,00,72,\
  00,6b,00,73,00,74,00,61,00,74,00,69,00,6f,00,6e,00,00,00,4d,00,65,00,73,00,\
  73,00,65,00,6e,00,67,00,65,00,72,00,00,00,4e,00,65,00,74,00,6d,00,61,00,6e,\
  00,00,00,4e,00,6c,00,61,00,00,00,4e,00,74,00,6d,00,73,00,73,00,76,00,63,00,\
  00,00,4e,00,57,00,43,00,57,00,6f,00,72,00,6b,00,73,00,74,00,61,00,74,00,69,\
  00,6f,00,6e,00,00,00,4e,00,77,00,73,00,61,00,70,00,61,00,67,00,65,00,6e,00,\
  74,00,00,00,52,00,61,00,73,00,61,00,75,00,74,00,6f,00,00,00,52,00,61,00,73,\
  00,6d,00,61,00,6e,00,00,00,52,00,65,00,6d,00,6f,00,74,00,65,00,61,00,63,00,\
  63,00,65,00,73,00,73,00,00,00,53,00,63,00,68,00,65,00,64,00,75,00,6c,00,65,\
  00,00,00,53,00,65,00,63,00,6c,00,6f,00,67,00,6f,00,6e,00,00,00,53,00,45,00,\
  4e,00,53,00,00,00,53,00,68,00,61,00,72,00,65,00,64,00,61,00,63,00,63,00,65,\
  00,73,00,73,00,00,00,53,00,52,00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,\
  00,00,54,00,61,00,70,00,69,00,73,00,72,00,76,00,00,00,54,00,68,00,65,00,6d,\
  00,65,00,73,00,00,00,54,00,72,00,6b,00,57,00,6b,00,73,00,00,00,57,00,33,00,\
  32,00,54,00,69,00,6d,00,65,00,00,00,57,00,5a,00,43,00,53,00,56,00,43,00,00,\
  00,57,00,6d,00,69,00,00,00,57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,70,00,\
  00,00,77,00,69,00,6e,00,6d,00,67,00,6d,00,74,00,00,00,54,00,65,00,72,00,6d,\
  00,53,00,65,00,72,00,76,00,69,00,63,00,65,00,00,00,77,00,75,00,61,00,75,00,\
  73,00,65,00,72,00,76,00,00,00,42,00,49,00,54,00,53,00,00,00,53,00,68,00,65,\
  00,6c,00,6c,00,48,00,57,00,44,00,65,00,74,00,65,00,63,00,74,00,69,00,6f,00,\
  6e,00,00,00,68,00,65,00,6c,00,70,00,73,00,76,00,63,00,00,00,78,00,6d,00,6c,\
  00,70,00,72,00,6f,00,76,00,00,00,77,00,73,00,63,00,73,00,76,00,63,00,00,00,\
  57,00,6d,00,64,00,6d,00,50,00,6d,00,53,00,4e,00,00,00,00,00


Zvol možnost Soubor -> Uložit jako... a nastav tyto parametry:
Název souboru: zde napiš: FIX.REG
Uložit jako typ: tak tam vyber Všechny soubory
Ulož soubor na plochu.
Ukonči všechna aktivní okna.
Poklikej na soubor fix.reg na ploše.

vlož sem pak ještě nový log z HJT.